Derek Williams

Category Archives: Lifehacks

Local news sites are notorious for low signal-to-noise ratios. The news content is good, but it’s often crowded out by excessive ads, Flash videos, runaway JavaScript, and animated GIFs. These things make 90s websites look clean and elegant. I get seasick visiting them.

My typical antidote has been to just stick to RSS, and let blockers like Chrome’s Click to Play squelch things when I have to visit the site. But the Atlanta Journal-Constitution (AJC) recently broke their RSS feeds while at the same time expanding their JavaScript and floating div monstrosities. What’s a guy to do when he just wants to read the latest Falcons and Georgia Tech news?

Well, I took the nuclear solution and went with lynx. Yes, lynx: the old text mode browser. Whenever I want to read content from the AJC or similar news sites, I just fire it off from the command line and browse away. It works well, and I can do a quick news check in no time. Hopefully, the AJC won’t start disallowing or punishing lynx use.

It’s Friday, and time again for some Friday Fixes: selected problems I encountered during the week and their solutions.

You know the old saying, “build a man a fire and he’s warm for a day; set a man on fire, and he’s warm for the rest of his life.” Or something like that. I’ve been asked about tool preferences and development approaches lately, so this week’s post focuses on tools and strategies.

JRebel

If you’re sick of JVM hot-swap error messages and having to redeploy for nearly every change (who isn’t?), run, do not walk, to ZeroTurnaround’s site and get JRebel. I gave up on an early trial last year, but picked it up again with the latest version a few weeks ago. This thing is so essential, it should be part of the Eclipse base.

My DB2 tool of choice depends on what I’m doing: designing, programming, tuning, administering, or monitoring. There is no “one tool that rules them all,” but my favorites have included TOAD, Eclipse DTP, MyEclipse Database Tools, Spotlight, db2top, db2mon, some custom tools I wrote, and the plain old command line.

I never liked IBM’s standard GUI tools like Control Center and Command Editor; they’re just too slow and awkward. With the advent of DB2 10, IBM is finally discontinuing Control Center, replacing it with Data Studio 3.1, the grown-up version of the Optim tools and old Eclipse plugins.

I recently switched from a combination of tools to primarily using Data Studio. Having yet another Eclipse workspace open does tax memory a bit, but it’s worth it to get Data Studio’s feature richness. Not only do I get the basics of navigation, SQL editors, table browsing and editing, I can do explains, tuning, and administration tasks quickly from the same tool. Capability-wise, it’s like “TOAD meets DTP,” and it’s the closest thing yet to that “one DB2 tool.”

Standardized Configuration

For team development, I’m a fan of preloaded images and workspaces. That is, create a standard workspace that other developers can just pick up, update from the VCS, and start developing. It spares everyone from having to repeat setup steps, or debug configuration issues due to a missed setting somewhere. Alongside this, everybody uses the same directory structures and naming conventions. Yes, “convention over configuration.”

But with the flexibility of today’s IDEs, this has become a lost art in many shops. Developers give in to the lure of customization and go their own ways. But is that worth the resulting lost time and fat manual “setup documents?”

Cloud-based IDEs promise quick start-up and common workspaces, but you don’t have to move development environments to the cloud to get that. Simply follow a common directory structure and build a ready-to-use Eclipse workspace for all team members to grab and go.

Josh is taking it to extremes, but he does have a point: developers’ lives are often too hectic and too distracted. This “do more with less” economy means multiple projects and responsibilities and the unending tyranny of the urgent. Yet we need blocks of focused time to be productive, separated by meaningful breaks for recovery, reflection, and “strategerizing.” It’s like fartlek training: those speed sprints are counterproductive without recovery paces in between. Prior generations of programmers had “smoke breaks;” we need equivalent times away from the desk to walk away and reflect, and then come back with new ideas and approaches.

I’ll be following to see if these experiments yield working solutions, and if Josh can stay employed. You may want to follow him as well.

Be > XSS

As far as I know, there’s no-one whose middle name is <script>transferFunds()</script>. But does your web site know that?

It’s surprising how prevalent cross-site scripting (XSS) attacks are, even after a long history and established preventions. Even large sites like Facebook and Twitter have been victimized, embarrassing them and their users. The general solution approach is simple: validate your inputs and escape your outputs. And open source libraries like ESAPI, StringEscapeUtils, and AntiSamy provide ready assistance.

But misses often aren’t due to systematic neglect; rather, they’re caused by small defects and oversights. All it takes is one missed input validation or one missed output-encode to create a hole. 99% secure isn’t good enough.

With that in mind, I coded a servlet filter to reject post parameters with certain “blacklist” characters like < and >. “White list” input validation is better than a blacklist, but a filter is a last line of defense against places where server-side input validation may have been missed. It’s a quick and simple solution if your site doesn’t have to accept these symbols.

I’m hopeful that one day we’ll have a comprehensive open source framework that we can simply drop in to protect against most web site vulnerabilities without all the custom coding and configuration that existing frameworks require. In the mean time, just say no to special characters you don’t really need.
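To make the “validate inputs, escape outputs” approach above concrete, here is the same layered defense written in JavaScript. This is an added example, not the author’s Java servlet filter: it assumes request parameters arrive as a plain object of strings, and the field names and per-field whitelist rules are made up for illustration. The blacklist check rejects the same two characters the post mentions; the whitelist validator and the HTML escaper show the two stronger layers that should sit in front of and behind it.

```javascript
// Added example (not the post's servlet filter). Assumes params is a plain
// object of string values; field names and rules below are hypothetical.

// Last line of defense, as in the post: reject any parameter carrying "<" or ">".
const BLACKLIST = /[<>]/;

function hasBlacklistedChars(params) {
  return Object.values(params).some((v) => BLACKLIST.test(String(v)));
}

// Preferred layer: positive ("white list") validation, one rule per expected field.
// Unknown parameters are rejected too, so a stray field can't slip past.
const WHITELIST_RULES = {
  username: /^[A-Za-z0-9_.-]{1,32}$/,
  middleName: /^[\p{L} '\-]{0,64}$/u, // letters, spaces, apostrophes, hyphens only
  zip: /^\d{5}(-\d{4})?$/,
};

function validateParams(params, rules = WHITELIST_RULES) {
  const errors = [];
  for (const [name, value] of Object.entries(params)) {
    const rule = rules[name];
    if (!rule) {
      errors.push(`${name}: unexpected parameter`);
      continue;
    }
    if (!rule.test(String(value))) errors.push(`${name}: invalid value`);
  }
  return errors;
}

// Output layer: escape untrusted text before it lands in an HTML body or attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample request: the "middle name" from the post.
const SAMPLE = {
  username: 'dwilliams',
  middleName: '<script>transferFunds()</script>',
  zip: '30332',
};

// Runs all three layers over one request and reports what each one saw.
function demo(params = SAMPLE) {
  return {
    blocked: hasBlacklistedChars(params),
    errors: validateParams(params),
    rendered: `<p>${escapeHtml(params.middleName)}</p>`,
  };
}

console.log(demo());
```

Note that the whitelist rejects the sample even if the blacklist filter were missing, and the escaper renders it harmlessly even if both validators were missing; each layer covers the oversights of the others, which is the point of the post.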

Comments Off

On that note, I’ve turned off comments for this blog. Nearly all real feedback comes via emails anyway, and I’m tired of the flood of spam comments that come during “comments open” intervals. Most spam comments are just cross-links to boost page rank, but I also get some desperate hack attempts. Either way, it’s time-consuming to reject them all, so I’m turning comments off completely. To send feedback, please email me.

Friday Fragments served a useful purpose, one of which was regularity: funny how Fridays kept coming around. While I haven’t been in pedagogical fragment mode for a while, I encounter real life puzzles every day. Sharing these often helps others who encounter the same problems, or even myself when I need a quick reference down the road. I just need a reminder and motivator to stop and record these. I suppose Friday is as good as any.

So here goes the first installment of Friday Fixes: selected problems I encountered during the week and their solutions, along with other sundries.

Spring Loading

Like most form tags, binding a multi-select list in Spring MVC is easy: deceptively so. All you need is this, right?

And, of course, the model attribute and/or bean methods to return the allChoices collection and get/set myFavorites. Well, not so fast. Turns out, multi-select lists in Spring MVC have always been a bit of a pain, particularly when it comes to making the initial selections (convincing Spring to add the selected attributes) on initial page load. One pre-selection is fine, but with multiples, the comma-separated list pushed back into the model’s setter is a one-way trip.

Solving this in prior versions of Spring required using an InitBinder whether you otherwise needed one or not. But for Spring MVC 3, the fix is to just map to collection getter/setters, even if your model wants to use the comma separated list. For example, use the following getter and change the form:select path to use it: path="myFavoritesList".

Between the deadlock event monitor, db2pd, and snapshots, DB2 has long provided good tools for tracking down deadlock culprits. But for lock timeouts, not so much. The DB2 folks have tried to improve things lately, but they’ve changed their minds a lot, often adding new tools and then quickly taking them away.

Now that lock timeout event monitors are finally here, many of the other new approaches like db2_capture_locktimeout and db2pdcfg -catch (with db2cos call-out scripts) have been deprecated. A coworker was concerned about the passing of db2_capture_locktimeout, but it appears it’ll be around a little longer. For example, the following still works in even the latest 9.7 fixpacks.

Repeat the last two commands in another DB2 Window and then wait for the timeout. Look for the report under your DIAGPATH, SQLLIB, or Application Data folder; for example: dir db2locktimeout*.* /s. Even with the latest 9.7 fixpacks, the timeout report can occasionally have some holes in it (like missing SQLs), but it’s still quite useful.

Flexigrid Incantation

Got a Flexigrid with a radio button? Want to fetch the value of a column on the radio-selected row? Well, when Flexigrid generates the tds and divs from your colModel, it provides abbr attributes, not ids. So the usual jQuery shorthands to find by ID don’t apply, and you’re off chasing the more obscure abbr. For example:

We all endure software that seems to grow worse with each upgrade; for me, that includes Ubuntu, the Weather Channel App, and Flash. I try clinging to the “oldies but goodies” for as long as I can (for example, I use my 9.10 Ubuntu VM far more than my 11.04 one), but forced upgrades are usually inevitable. Flash is one very necessary evil that must be kept current: it’s either upgrade or stop using some sites.

After a brief period of continually-improving releases, Flash is giving me fits again, at least with the 10.3 version. I’m again getting bizarre behavior with sites like Nike+, requiring periodic work-arounds. One often effective fix for Flash problems is to clear its cache. Fortunately, that’s a quick process:

Perhaps the only thing Microsoft Terminal Services Client (mstsc, a.k.a, Remote Desktop Connection) has going for it is ubiquity. Since it installs with Windows, it’s often the only remote access option available for a new machine; that is, until you log in and install something else. One thing it definitely does not have going for it is a feature set like, say, a menu.

I found myself stuck in a Droste effect with nested mstsc sessions today while installing OpenSSH on a new Windows 2003 server. Because this machine is in our DMZ, it takes two mstsc hops to get to it. In the process I needed to give the innermost session the Ctrl+Alt+Delete three finger salute. But how? Unlike VNC, Radmin, and other remote control tools, there is no menu containing this option. I vaguely recalled some weird key combination to reach to the end of this mise en abyme, but could not get it right.

After a bit of googling and trial and error, I came up with this:

In the first session, open the Windows on screen keyboard. Oddly, this wasn’t on the accessibility menu, so I had to run osk.exe directly.

Use osk to type Ctrl+Alt+End. This sends a Ctrl+Alt+Delete to the inner session.

I’ve seen an uptick lately in phishing emails that do a much better job of replicating legitimate ones. For example, I’ve received several that look like Amazon orders or LinkedIn reminders. In all cases, the email content is a dead ringer for kosher ones except that the content (book titles, names, etc.) is unfamiliar, and if I mouse over the embedded links, the target URL is fishy indeed. And therein lies the purpose: to get unsuspecting recipients to click one of those links, visit its site, and receive malware.

Identifying and stopping these emails was easy. Since they arrived at my Gmail account, I created some quick filters to corral them. On closer inspection, I found that they were sent to a couple of my forwarded email addresses, so I simply turned off those forwards at my domain host. And that provided some insight into the source: one was an old address I had given out only to InformationWeek. Have they been selling or otherwise disclosing my email address?

Google’s anti-phishing initiatives have had mixed success. Their phishing filter has been criticized for too many false positives, their DKIM initiatives have had too little uptake, and their “authentication icon for verified senders” is much too passive-aggressive. But this has perhaps a simple solution: flag any email with embedded links where the target URL’s domain differs from the sender’s domain. Perhaps this could be done with some creative filters or a Gmail gadget. If these things come back, I’ll give it a shot.
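The “link domain differs from sender domain” rule proposed above is easy to prototype outside Gmail. The following is an added example, not something from the post or from Google: it takes a From header and an HTML body, pulls out every href, and reports the links whose registrable domain does not match the sender’s. The two sample messages are constructed, and the “last two labels” rule for the registrable domain is a deliberate simplification (it is fine for .com and .net but wrong for suffixes like .co.uk, where a public-suffix list would be needed).

```javascript
// Added example (not from the post). Assumes the "last two labels" approximation
// of a registrable domain; the sample messages below are constructed.

// "www.amazon.com" -> "amazon.com". Simplification: ignores multi-label public suffixes.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Pull the domain out of a From header such as 'Amazon.com <ship-confirm@amazon.com>'.
function senderDomain(fromHeader) {
  const m = /@([A-Za-z0-9.-]+)/.exec(fromHeader);
  return m ? registrableDomain(m[1]) : null;
}

// Collect every href value in the HTML body (double- or single-quoted).
function extractLinks(html) {
  const links = [];
  const re = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) links.push(m[1]);
  return links;
}

// Return the links whose target domain is not the sender's domain.
// mailto:, relative and malformed URLs have no hostname and are skipped.
function mismatchedLinks(fromHeader, html) {
  const sender = senderDomain(fromHeader);
  const out = [];
  for (const href of extractLinks(html)) {
    let host;
    try {
      host = new URL(href).hostname;
    } catch (e) {
      continue;
    }
    if (!host) continue;
    if (registrableDomain(host) !== sender) out.push(href);
  }
  return out;
}

function classify(msg) {
  const links = mismatchedLinks(msg.from, msg.html);
  return { flagged: links.length > 0, links };
}

// Constructed sample: a genuine-looking notice whose links stay on the sender's domain.
const LEGIT = {
  from: 'Amazon.com <ship-confirm@amazon.com>',
  html: '<p>Your order has shipped.</p><a href="https://www.amazon.com/orders/123">View order</a>',
};

// Constructed sample: same text, but the tracking link points at a look-alike host
// whose registrable domain is example.net, not amazon.com.
const SUSPECT = {
  from: 'Amazon.com <ship-confirm@amazon.com>',
  html:
    '<p>Your order has shipped.</p>' +
    '<a href="http://amazon.com.example.net/track?id=123">Track package</a>' +
    '<a href="https://www.amazon.com/help">Help</a>' +
    '<a href="mailto:ship-confirm@amazon.com">Reply</a>',
};

console.log(classify(LEGIT), classify(SUSPECT));
```

The check is intentionally conservative: one mismatched link is enough to flag the message, because the legitimate links in a phishing email are usually copied verbatim from the real one and only the call-to-action link is swapped.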

During my freshman year at Georgia Tech, Tina gave me a coffee mug depicting green bar paper bearing the words “While the Computer is Down…” repeating in a Westminster font. That old phrase registered at that time because I then did most of my programming assignments on an overworked and frequently-crashing CDC Cyber (I needed at least sophomore status to use the Xerox Stars, HP 9000s, and other more modern machines). Restarts usually took 20 minutes or more, and there was nothing we could do but wait. So, at the very least, “Cyber is down” meant we could enjoy a good coffee break.

My first real job put me alongside seasoned mainframe programmers who knew well how to handle outages: step away from the green screen, take a walk, visit the cafeteria, catch up on techniques, chat with friends, and so on. These guys would often swing by my office while I was pecking away at my LAN-connected PCs and servers, totally unaware of the outage. And they were usually pretty good at convincing me to join them in their forced break.

The advent of the personal computing era meant that any outage was under my own control, and there was always a suitable backup nearby. So “always on” became a way of life: if my PC, laptop, PDA, pager, or cell phone died, I typically had several alternatives to turn to. This removed all excuses for ever being disconnected, and we grew to expect 24×7 access to everything. The unexpected result was that, in making these redundant devices slaves to us, we became slaves to them.

Now, of course, cloud computing is chipping away at that and pushing us back into a bygone era when folks were at the mercy of whatever was at the other end of a dumb terminal. As more of what I do gets pushed out into the cloud, I lose more control. Remote VPSes, VMs, and EC2s replace local servers, Gmail and GCal replace Outlook, Mint replaces Quicken, and so on. I have multiple ways to access all these things, but there’s still just one of each of these services out there. And along with that, we get back the shared computing pecking order: paying customers with SLAs get all the redundancy, fail-over, and guaranteed up-time, while smaller and free users rank somewhere below computer science freshmen.

So downtime has again become a part of life. Just recently, I was affected by extended outages at Visa, Chase and Intuit, and shorter outages at less critical sites: Google, 1and1, MapMyrun, Facebook, Weather.gov, etc. What can one do when such outages occur? Not much, other than find something else to do, like take a coffee break. And that’s not always such a bad thing.

I don’t miss frequent flying, mainly for one reason: there is no longer any slack in the system. Airlines have optimized to the point that almost all flights are nearly full and are often overbooked. Toss a storm or failure into this machine and it can take seemingly forever to get furious passengers on canceled flights home. I still have haunting memories of being stuck in Newark for 28 hours following a relatively small snow storm watching five overbooked flights to my destination leave before me (and I was holding a Class Y ticket, no less). In the midst of all of this overclocked chaos, I’m pleased when I can drive rather than fly.

Ignoring the Obvious

This is essentially the point Tom DeMarco makes in his book Slack: Getting Past Burnout, Busywork, and the Myth of Total Efficiency. From the very outset, he states it plainly: “the more efficient you get, the harder it is to change.” Trouble is, change happens. And when it does, the end results to an over-optimized company aren’t pretty: angry customers, missed opportunity, diminishing revenues, and obsolescence.

DeMarco’s book is a quick read, and many of his points are painfully obvious, yet painfully missed. For example, he describes:

How “ax-wielding crazies… trade away the future to make the present look a little more rosy”

The problems that come with treating employees as “fungible resources”

How the net result of the Hurry Up mantra is really Slowing Down

The value of human capital and the real costs of losing employees

The myth that information work can be rushed (“people under time pressure don’t think faster”)

While the book is nearly a decade old, DeMarco’s advice is now even more needed, but less heeded. Our times place even more emphasis on cost-cutting in lieu of potential, short-term profits instead of investment, regulation in lieu of innovation, and so on. That explains the common large company strategy of “cut costs, stop innovating, and hope to make it up with acquisitions” (and why those acquisitions are ultimately so expensive). I would argue it’s also a primary systemic cause of our current economic woes. It’s essentially the thrift paradox: if everyone is cutting costs, no-one will grow.

Yet I think DeMarco would be pleased that, against prevailing government and business winds, today’s most successful companies have done exactly what he prescribes. IBM’s Think Fridays come to mind, but perhaps a better-known example is Google’s 20% Time.

A typical corporate cost-cutter would not tolerate such a thing. After all, how much revenue does Google get directly from Gmail, Google Talk, Google News, Google Sky, and the other 20% projects? Almost none, when compared to their massive advertising revenues. So an astute efficiency expert might find 20% “fat” that he could cut out of Google’s expense equation.

But over half of Google’s products originated in this 20% time, and these projects have dramatically improved the reach, goodwill, and public impression of Google. As eWeek puts it, they “gain more influence over the internet landscape.” It keeps them highly relevant, and helps prevent them from going the way of Alta Vista and Ask Jeeves (if those names aren’t familiar, just google them or gmail me). And this week’s unveiling of Instant search is yet another example of Google’s proactive change; one that bean-counters might argue is an unnecessary and cannibalistic change.

Just Ask Yourself

While DeMarco writes in abstract terms, many of the mistakes he describes are quite familiar. I don’t know how these problems look in a manufacturing company or utility, but I’ve seen them in technology and software companies. So I would propose the following litmus tests. If you answer “no” to one or more of these, you might be a breakneck.

Are my R&D and revenue pipelines diverse? Instead of expecting one or two big new product investments to pull off a revenue miracle, am I spreading the risk across a portfolio of new product developments knowing that some will fail and some will succeed?

Do I routinely solicit new product ideas from my employees (who may see opportunities that I miss)? And do I act on these?

Am I significantly investing in R&D, including “skunkworks” projects?

Am I giving my employees time to innovate?

Is my company giving back to the open source movement, or is it “all take and no give?”

Am I encouraging career development in my employees, instead of treating them as “fungible resources”?

Am I allowing time in schedules for unknowns and risks?

The solution to many of these problems is simple: do business the old fashioned way. Think long term. Invest broadly in the future. Hire good people and value them. Don’t lay off or outsource just because you can. Look beyond just this quarter’s financial results. In short, make room for change and cut the world some slack.

Given recent questions about my Droid phone, perhaps it’s time to post again about it. This time, I’ll offer tips on battling two common Droid demons.

1. The condensation poltergeist. The tiniest amounts of condensation can make Droid’s touch screen act possessed. The Ghost of Droid will scroll automatically, start apps, search for things, make phone calls, and wreak all sorts of direct-manipulation havoc. And there’s no point in fighting it: it’s much faster than you, and when it takes over, it’s usually impossible to win the battle and override it. A locked screen offers some protection against emailing your boss or calling Tokyo without your consent; in this case, it can only repeatedly try to draw out your unlock pattern, usually resulting in a series of “wait 30 seconds” holds. It’s entertaining to watch, but annoying to say the least.

This weird phenom has been ascribed to viruses, chargers, and other hardware and software issues, but, in my experience, it’s always due to condensation on the touch screen. And since it requires so little moisture, it’s hard to predict when it will happen. It has happened to me upon walking into an indoor pool area, and inside my car after a long run.

As long as you keep your Droid at 70 degrees and 40% humidity (perhaps in the raised floor area of your personal data center), you’ll be fine. For those of us in the real world (and who like Georgia summers), just stop using it when it happens, turn it off, be patient, and wait for it to dry out. You can help it along by bringing it back into the air conditioned indoors or using a blow dryer on a cool setting.

2. The grim reaper ringer. That “slide to answer” control and dexterity test works great at preventing accidental unlocks and butt calls. So great that if you try it while driving, you’re as likely to annihilate as answer. An early Android update made it slightly easier (straight rather than curved slide), but it’s still difficult. Most bluetooth headsets provide an alternative, but if you’re not headsetting it, it’s best to just pull over before attempting to answer, or simply miss the call and return it later. Answering that call is not worth crashing into the ditch or oncoming traffic.

I’ve heard that the latter problem will be fixed soon in an Android (software) update, but the touch screen issues will probably have to wait for a new phone (gotta love “new every two”). My next phone will almost certainly be an Android, but probably won’t be a Motorola Droid.

Typical Wednesday. One of my meetings for today was a conference call where I expected to remain mainly in listening mode. So I attempted some of my own work during the call, making good use of the speaker and mute button. I am male, but can usually handle two things at once.

But during the course of that one hour session, I got two cell phone calls, five urgent emails, IMs from four co-workers, and many more questions than expected from the call. It came to a few dozen separate topics, far exceeding my “two plus or minus seven” capacity. Postponing non-urgent interruptions helps, but increases my backlog queue length. Yet responding “on demand” often leads to dropped interrupts and increased interrupt latency. It can be tough to maintain the balance.

Careful thoughtwork requires focus and concentration, and interruptions can quickly wreck that. I was reminded of Larry Constantine’s classic essay, Irksome Interruptions. In it, he wittily suggests that programmers adopt the nomenclature of CPU interrupt handling to deal with this problem. It’s a geeky way to go about things, but handled this way, an “interrupt request” becomes short enough not to derail a thought process. Want to chat with someone who might be busy at task? Just ask “IRQ?” (pronounced “irk?”). If it’s a good time, they’ll “ACK” you, which buys a moment to “save state” before “servicing your interrupt.” If it’s a bad time, they can just answer “NAK” (negative acknowledge), and you know to try later, with no harm done (no thought process wrecked). And someone who has developed a habit of frequent interruptions might be labeled IRQsome.

Constantine wrote his essay before our work environments had so many more interrupt request lines to service. Multiple IMs and chat rooms, multiple phones, and emails arriving at high rates add to classic face-to-face interruptions. And the economy was better then (and engineer-to-workload ratio higher), so folks weren’t pulled in so many different directions. Yet his suggestions are compelling, and I do exchange “irq”s, “ack”s, and “nak”s (over IM) with one co-worker who has also read the old essay. The classic instant messaging “yt?” also works, provided one is willing to answer “n” or “no” when not prepared to be mentally there.

A friend and fellow Droidian asked me today what my favorite free Android apps were. I really didn’t know where to begin because I use so many of them so regularly. This includes, of course, the preloaded ones: music, calendar, gmail, browser, maps, navigation, talk, contacts, messaging, YouTube, Picasa, etc., etc. But to answer the question, I thought I’d jot down a list of some of my favorite free Market downloads here: